[krbdev.mit.edu #8986] HTTPS client proxy zero configuration

Дилян Палаузов via RT rt-comment at krbdev.mit.edu
Sat Feb 13 10:37:50 EST 2021


Sat Feb 13 10:37:50 2021: Request 8986 was acted upon.
 Transaction: Ticket created by dilyan.palauzov at aegee.org
       Queue: krb5
     Subject: HTTPS client proxy zero configuration
       Owner: Nobody
  Requestors: dilyan.palauzov at aegee.org
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8986 >


Hello,

https://web.mit.edu/kerberos/krb5-current/doc/admin/realm_config.html#kdc-discovery
states that Kerberos clients can discover the KDC using a URI DNS RR.  In
particular, that they can use by default - without additional client-side
configuration - an HTTPS proxy to get a ticket.  As an example it shows the
line:

_kerberos.EXAMPLE.COM URI  30 1 krb5srv::kkdcp:https://proxy:89/auth

where kkdcp means the MS-KKDCP type (I do not know what kkdcp is).


https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/https.html#configuring-the-clients
says:
“““
Configure the client to access the KDC and kpasswd service by
specifying their locations in its krb5.conf file in the form of HTTPS
URLs for the proxy server:

kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as kinit, kvno, and kpasswd should all function normally.
”””

• Please amend the “client configuration” to state that with URI+HTTPS
records no explicit client configuration is necessary for the HTTPS
proxy.

Greetings
  Дилян
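
Added example, not part of the original message and not MIT krb5 code: a small parser for the "krb5srv:flags:transport:residual" data of the URI record quoted above, showing the explicit krb5.conf kdc line that the record replaces. The function names and the https-only check are assumptions of this sketch.

```python
# Added example (not MIT krb5 code). Parses the "krb5srv:flags:transport:residual"
# data of a Kerberos URI record and derives the matching krb5.conf kdc line.
from urllib.parse import urlsplit

TRANSPORTS = {"udp", "tcp", "kkdcp"}

# Record quoted in the ticket above.
TICKET_RR = "_kerberos.EXAMPLE.COM URI  30 1 krb5srv::kkdcp:https://proxy:89/auth"


def parse_krb5srv(target):
    """Split the URI record data into primary flag, transport and location."""
    parts = target.strip().strip('"').split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        raise ValueError("not a krb5srv URI: %r" % target)
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport not in TRANSPORTS:
        raise ValueError("unknown transport: %r" % transport)
    if not residual:
        raise ValueError("empty residual")
    if transport == "kkdcp":
        # Assumption of this sketch: refuse anything but an https URL, so a
        # DNS answer cannot point the client at a cleartext proxy.
        url = urlsplit(residual)
        if url.scheme.lower() != "https" or not url.hostname:
            raise ValueError("kkdcp residual must be an https URL")
    return {"primary": "m" in flags.lower(), "transport": transport,
            "location": residual}


def parse_rr(line):
    """Parse 'owner URI priority weight target' as laid out in the ticket."""
    fields = line.split(None, 4)
    if len(fields) != 5 or fields[1].upper() != "URI":
        raise ValueError("not a URI record: %r" % line)
    rec = parse_krb5srv(fields[4])
    rec.update(owner=fields[0], priority=int(fields[2]), weight=int(fields[3]))
    return rec


def equivalent_kdc_line(rec):
    """krb5.conf line that names the same KDC location explicitly."""
    return "kdc = " + rec["location"]


if __name__ == "__main__":
    print(equivalent_kdc_line(parse_rr(TICKET_RR)))
```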



